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Abstract: Self-stabiHzation is a strong property that guarantees that a network always 
resume correct behavior starting from an arbitrary initial state. Weaker guarantees have 
later been introduced to cope with impossibility results: probabilistic stabilization only 
gives probabilistic convergence to a correct behavior. Also, weak stabilization only gives the 
possibility of convergence. 

In this paper, we investigate the relative power of weak, self, and probabilistic stabiliza- 
tion, with respect to the set of problems that can be solved. We formally prove that in that 
sense, weak stabilization is strictly stronger that self-stabilization. Also, we refine previous 
results on weak stabilization to prove that, for practical schedule instances, a deterministic 
weak-stabilizing protocol can be turned into a probabilistic self-stabilizing one. This latter 
result hints at more practical use of weak-stabilization, as such algorthms are easier to design 
and prove than their (probabilistic) self-stabilizing counterparts. 
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Stabilisation faible vs. Auto- Stabilisation vs. 
Stabilisation probabiliste 

Resume : L'auto-stabilisation est une propriete forte qui assure qu'un reseau retrouve 

toujours un comportcmcnt correct quel que soit son ctat initial. Des proprietcs plus faibles 
que l'auto-stabilisation ont ete definies pour resoudre des resultats d'impossibilite: l'auto- 
stabilisation probabiliste garantit uniquement une convergence probabiliste vers un compor- 
tcmcnt correct; la stabilisation faible garantit simplement une possibilite de convergence a 
partir de n'importe quel etat du systeme. 

Dans cet article, nous nous interessons aux puissances d'expression relatives de la sta- 
bilisation faible, dc l'auto-stabilisation dctcrministc ct dc l'auto-stabilisation probabiliste. 
Nous prouvons qu'en pratique la stabilisation faible a reellement un pouvoir d'expression 
plus fort que l'auto-stabilisation deterministe {i.e., elle permet de resoudre plus de problemes 
que l'auto-stabilisation dctcrministc). Ensuitc, nous affinons des resultats antcricurs sur la 
stabilisation faible pour prouver que du point de vue pratique un protocole faiblement sta- 
bilisant deterministe peut etre transforme en un protocole auto-stabilisant probabiliste. Ce 
resultat dcmontre I'intcret pratique de la stabilisation faible puisquc dc tcls algorithmcs sont 
plus simples a ccrirc ct a prouver que Icurs equivalents auto-stabilisants (probabilistcs). 

Mots-cles : Systemes distribues, Algorithme distribue. Auto-stabilisation, Stabilisation 
faible. Auto-stabilisation probabiliste 
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1 Introduction 

Self-stabilization [10, 11] is a versatile technique to withstand any transient fault in a dis- 
tributed system or network. Informally, a protocol is self-stabilizing if, starting from any 
initial configuration, every execution eventually reaches a point from which its behavior is 
correct. Thus, self-stabilization makes no hypotheses on the nature or extent of faults that 
could hit the system, and recovers from the effects of those faults in a unified manner. 

Such versatility comes with a cost: self-stabilizing protocols can make use of a large 
amount of resources, may be difficult to design and to prove, or could be unable to solve 
some fundamental problems in distributed computing. To cope with those issues, several 
weakened forms of self-stabilization have been investigated in the literature. Probabilistic 
self-stabilization [17] weakens the guarantee on the convergence property: starting from 
any initial configuration, an execution reaches a point from which its behavior is correct 
with probability 1. Pseudo-stabilization [7] relaxes the notion of "point" in the execution 
from which the behavior is correct: every execution simply has a suffix that exhibits correct 
behavior, yet the time before reaching this suffix is imbounded. The notion of k-stabiliza- 
tion [2] prohibits some of the configurations from being possible initial states, and assumes 
that an initial configuration may only be the result of k faults (the number of faults being 
defined as the number of process memories to change to reach a correct configuration). 
Finally, the weak- stabilization [13] stipulates that starting from any initial configuration, 
there exists an execution that eventually reaches a point from which its behavior is correct. 

Probabilistic self-stabilization was previously used to reduce resource consumption [15] 
or to solve problems that are known to be impossible to solve in the classical deterministic 
setting [14], such as graph coloring, or token passing. Also, it was shown that the well 
known alternating bit protocol is pscudo-stabilizing, but not self-stabilizing, establishing a 
strict inclusion between the two concepts. For the case of fc-stabilization, [12, 18] shows 
that if not all possible configurations are admissible as initial ones, several problems that 
can not be solved in the self-stabilizing setting {e.g. token passing) can actually be solved 
in a ^-stabilizing manner. As for weak-stabilization, it was only shown [13] that a sufficient 
condition on the scheduling hypotheses makes a weak-stabilizing solution self-stabilizing. 

From a problem-centric point of view, the probabilistic, pseudo, and k variants of stabi- 
lization have been demonstrated strictly more powerfuU that classical self-stabilization, in 
the sense that they can solve problems that are otherwise unsolvable. This comforts the 
intuition that they provide weaker guarantees with respect to fault recovery. In contrast, no 
such knowledge is available regarding weak-stabilization. 

In this paper, we address the latter open question, and investigate the power of weak- 
stabilization. Our contribution is twofold: (i) wc prove that from a problem centric point 
of view, weak-stabilization is stronger than self-stabilization (both for static problems, such 
as leader election, and for dynamic problems, such as token passing), and (ii) we show that 
there exists a strong relationship between deterministic weak-stabilizing algorithms and 
probabilistic self-stabilizing ones. Practically, any deterministic weak- stabilizing protocol 
can be transformed into a probabilistic self-stabilizing protocol performing under a proba- 
bilistic scheduler, as we demonstrate in the sequel of the paper. This results has practical 
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impact: it is much easier to design and prove a weak-stabilizing solution than a probabilis- 
tic one; so if new simple weak-stabilizing solutions appear in the future, our scheme can 
automatically make them self-stabilizing in the probabilistic sense. 

The remaining of the paper is organized as follows. In the next section we present 
the model we consider in this paper. In Section 3, we propose weak-stabilizing algorithms 
for problems having no deterministic self-stabilizing solutions. In Section 4, we show that 
under some scheduling assumptions, a weak-stabilizing system can be seen as a probabilistic 
self-stabilizing one. 

2 Model 

Graph Definitions. An undirected graph G is a couple {V ,E) where V is a set of A'' nodes 
and S is a set of edges, each edge being a pair of distinct nodes. Two nodes p and q are said 
to be neighbors iff {p,q} S E. Tp denotes the set of p's neighbors. Ap denotes the degree of 
p, i.e., \Tp\. By extention, we denote by A the degree of G, i.e., A = max({Ap, p G V}). 

A path of lenght A; is a sequence of nodes pq, . . . , Pk such that yi, < i < k, pi and pi+i 
arc neighbors. The path V = po, ■ ■ ■ , Pk is said elementary if Vi,j, < i < j < k, Pi ^ pj. 
A path V = Po, . . . , pfc is called cycle li po, . . . , Pk-i is elementary and po = pk- We call 
ring any graph isomorph to a cycle. 

An undirected graph G = {V ,E) is said connected iff there exists a path in G between 
each pair of distinct nodes. The distance between two nodes p and q in an undirected 
connected graph G = {V ,E) is the length of the smallest path between p and q in G. We 
denode the distance between p and q by d{p,q). The diameter Z? of G is equal to max({(i(p,(7), 
p Aq & V}). The eccentricity of a node p, noted ec(p), is equal to max({d(p,g), q € V)). 
A node p is a center of G if Vg e V, ec{p) < ec{q). 

We call tree any undirected connected acyclic graph. In a tree graph, we distinghish two 
types of nodes: the leaves {i.e., any node p such that Tp = 1) and the internal nodes {i.e., 
any node p such that Tp > 1). Below, we recall a well-known result about the centers in the 
trees. 

Property 1 ([5]) A tree has a unique center or two neighboring centers. 

Distributed Systems. A distributed system is a finite set of communicating state ma- 
chines called processes. Wc represent the communication network of a distributed system 
by the undirected connected graph G = {V,E) where V is the set of N processes and E is a 
set of edges such that Vp,g e V, {p,q} € E iff p and q can directly communicate together. 
Here, we consider anonym,ous distributed systems, i.e., the processes can only differ by their 
degrees. We assume that each process can distinguish all its neighbors using local indexes, 
these indexes are stored in Neigp. For sake of simplicity, we assume that Neigp = {0, . . . , 
Ap — 1}. In the following, wc will indifferently use the label q to designate the process q or 
the local index of q in the code of some process p. 

The communication among neighboring processes is carried out using a finite number 
of shared variables. Each process holds its own set of shared variables where it is the only 
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able to write but where each of its neighbors can read. The state of a process is defined 
by the values of its variables. A configuration of the system is an instance of the state of 
its processes. A process can change its state by executing its local algorithm. The local 
algorithm executed by each process is described by a finite set of guarded actions of the 
form: {label) :: (guard) — »■ (statement). The guard of an action at Process p is a boolean 
expression involving some variables of p and its neighbors. The statement of an action of 
p updates some variables of p. An action can be executed only if its guard is satisfied. We 
assume that the execution of any action is atomic. An action of some process p is said 
enabled in the configuration 7 iff its guard is true. By extention, p is said enabled in 7 ijf 
at least one of its action is enabled in 7. 

We model a distributed system as a transition system S = (C,i— where C is the set of 
system configuration, 1— > is a binary transition relation on C, and X C C is the set of initial 
configurations. An execution of 5 is a maximal sequence of configurations 70, . . . , 7i-i, 7i, 
. . . such that 7o € I and Vi > 0, 7,-1 7, (in this case, 7i_i 1— > 7i is referred to as a step). 
Any configuration 7 is said terminal if there is no configuration 7' such that 7 i-^- 7'. We 
denote by 7 ^ 7' the fact that 7' is reachable from 7, i.e., there exists an execution starting 
from 7 and containing 7'. 

A scheduler is a predicate over the executions. In any execution, each step 7 1— > 7' is 
obtained by the fact that a non-empty subset of enabled processes atomically execute an 
action. This subset is chosen according to the scheduler. A scheduler is said central [10] if it 
chooses one enabled process to execute an action in any execution step. A scheduler is said 
distributed [6] if it chooses at least one enabled process to execute an action in any execution 
step. A scheduler may also have some fairness properties ([11]). A scheduler is strongly 
fair (the strongest fairness assumption) if every process that is enabled infinitely often is 
eventually chosen to execute an action. A scheduler is weakly fair if every continuously 
enabled process is eventually chosen to execute an action. Finally, the proper scheduler 
is the weakest fairness assumption: it can forever prevent a process to execute an action 
except if it is the only enabled process. As the strongly fair scheduler is the strongest fairness 
assumption, any problem that cannot be solved under this assumption cannot be solved for 
all fairness assumptions. In contrast, any algorithm working under the proper scheduler also 
works for all fairness assumptions. 

We call P-variable any variable v such that there exists a statement of an action where 
V is randomly assigned. Any variable that is not a P-variable is called D-variable. Each 
random assignation of the P-variable v is assumed to be performed using a random fimction 
Raiid„ which returns a value in the domain of v. A system is said probabilistic if it contains at 
least one P-variable, otherwise it is said deterministic. Let S = (C,i— >,T) be a probabilistic 
system. Let Enabled(7) bo the set of processes that arc cinablcid in 7 E C. S satisfies: for any 
subset Sub(7) C Enabled(7), the sum of the probabilities of the execution steps determined 
by 7 and Sub is equal to 1. 

Stabilizing Systems. Let S = {C,i-^,T) be a system such that C =1 {n.b., in the following 
any system <S = (C,i— >,X) such that C = I will be simply denoted by 5 = (C,i— >)). Let SV 
be a specification, i.e., a particular predicate defined over the executions of <S. 
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Definition 1 (Deterministic Self-Stabilization [10]) S is deterministically self-stabi- 
lizing for SV if there exists a non-empty subset ofC, noted C, such that: (i) Any execution of 
S starting from a configuration of C always satisfies SV ('Strong Closure Property^, and (ii) 
Starting from any configuration, any execution of S reaches in a finite time a configuration 

of C ('Certain Convergence Property j. 

Definition 2 (Probabilistic Self-Stabilization [17]) S is probabilistically self-stabili- 
zing for SV if there exists a non-empty subset of C, noted C, such that: (i) Any execution 
of S starting from a configuration of C always satisfies SV ( Strong Closure Property ), and 
(ii) Starting from any configuration, any execution of S reaches a configuration of C with 
Probability 1 ('Probabilistic Convergence Property^. 

Definition 3 (Deterministic Weak-Stabilization [13]) S is deterministically weak-sta- 
bilizing for SV if there exists a non-empty subset ofC, noted £, such that: (i) Any execution 
of S starting from a configuration of C always satisfies SV ( Strong Closure Property ), and 
(ii) Starting from any configuration, there always exists an execution that reaches a config- 
uration of C ('Possible Convergence Property^. 

Note that the configurations from which <S always satisfies SV {£) are called legitimate 
configurations. Conversely, every configuration that is not legitimate is illegitimate. 

3 From Self to Weak Stabilization 

In this section, we exhibit two problems that can not be solved by a deterministic self- 
stabilizing protocol, yet admit surprisingly simple deterministic weak- stabilizing ones. Thus, 
from a problem-centric point of view, weak-stabilization is stronger than self-stabilization. 
This result is mainly due to the fact that a given scheduler is appreciated differently when 
we consider self or weak stabilization. In the self-stabilizing setting, the scheduler is seen as 
an adversary: the algorithm must work properly despite the "bad behavior" of the sched- 
uler. Indeed, it is sufficient to exhibit an execution that satisfies the scheduler predicate 
yet prevents the algorithm from converging to a legitimate configuration to prove the ab- 
sence of self-stabilization. Conversely, in weak-stabilization, the scheduler can be viewed 
as a friend: to prove the property of weak-stabilization, it is sufficient to show that, for 
any configuration 7, there exists an execution starting from 7 that satisfies the scheduler 
predicate and converges. As a matter of fact, the effect of the scheduler is reversed in weak 
and self stabilization: the strongest the scheduler is {i.e. the more executions are included 
in the scheduler predicate), the easier the weak-stabilization can be established, but the 
harder self-stabilization is. 

When the scheduler is synchronous [16] (i.e., a scheduler that chooses every enabled pro- 
cess at each execution step) the notions of deterministic weak-stabilization and deterministic 
self-stabilization are equivalent, as proved in the following. 

Theorem 1 Under a synchronous scheduler, an algorithm is deterministically weak-stabi- 
lizing iff it is also deterministically self-stabilizing. 
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Proof. 

If. Consider algorithm V that is deterministically weak-stabilizing under a synchronous 
scheduler. First, V satisfies the strong closure property. It remains then to show that V 
satisfies the certain convergence property. 

By Definition 3, starting from any configuration 7, there exists an execution of P that 
converges to a legitimate configuration. Now, under a synchronous scheduler, there is an 
unique execution starting from 7 because V is deterministic. Hence, V trivially satisfies 
the following assertion "starting from any configuration, any execution of V converges to a 
legitimate configuration under a synchronous scheduler" (the certain convergence property). 

Only If. By Definition, any deterministic self-stabilizing algorithm is also a deterministic 
weak-stabilizing algorithm under the same scheduler. □ 

We now exhibit two examples of problems that admit weak-stabilizing solutions but no 
self-stabilizing ones: the token passing and the leader election. 

3.1 Token Circulation 

In this subsection, we consider the problem of Token Circulation in a unidirectional ring, 
with a strongly fair distributed scheduler. This problem is one of the most studied problems 
in self-stabilization, and is often regarded as a "benchmark" for new algorithms and concepts. 
The consistent direction is given by a constant local pointer Pred: for any process p, Predp 
designates a neighbor q as the predecessor (resp. p is the successor of q) in such way that q 
is the predecessor of p iff p is not the predecessor of q. 

Definition 4 (Token Circulation) The token circulation problem consists in circulating 
a single token in the network in such way that every process holds the token infinitely often. 

In [16], Herman shows, using a previous result of Angluin [1], that the deterministic 
self-stabilizing token circulation is impossible in anonymous networks becaiise there is no 
ability to break symmetry. We now show that, contrary to deterministic self-stabilization, 
deterministic weak-stabilizing token circulation under distributed strongly fair scheduler 
exists in an anonymous unidirectional ring. 

Our starting point is the {N — l)-fair algorithm of Beauquier et al. proposed in [3] 
(presented as Algorithm 1). We show that Algorithm 1 is actually a deterministic weak- 
stabilizing token circulation protocol. Roughly speaking, {N — l)-fairness implies that in 
any execution, (i) every process p performs actions infinitely often, and (ii) between any two 
actions of p, any other process executes at most N — 1 actions. The memory requirement 
of Algorithm 1 is log(mAr) bits per process where niN is the smallest integer not dividing N 
(the ring size). Note that it is also shown in [3] that this memory requirement is minimal 
to obtain any probabilistic self-stabilizing token circulation under a distributed scheduler 
(such a probabilistic self-stabilizing token circulation can be found in [9]). 

A process p maintains a single counter variable: dtp such that d,tp e [0 . . .thn — 1]. This 
variable allows p to know if it holds the token or not. Actually, a process p holds a token 



RR n° 1 



8 



Stephane Devismes , Sebastien Tixeuil , Masafumi Yamashita 



Algorithm 


1 Code for every process p 


Variable: dtp 


G [0.. 


. niN - 1] 


Macro: 






PassTokerip 




dtp ^ (dtpradj, + 1) mod mjv 


Predicate: 






Token(p) 


^ 


/tp ^ ((dtpr^clp + 1) mod nit,)] 


Action: 






A :: Tok 


en{p) 


—>■ PassTokeUp 



M J3i, J^. 

''-qf' "'©r' 

(i) (ii) (iii) 

Figure 1: Example of an execution starting from a legitimate configuration. 



iff dtp 7^ {{dtpredp + 1) modrriAr), i.e., i/f p satisfies Token{p). In this case, Action A is 
enabled at p. This action allows p to pass the token to its successor. 

Figure 1 depicts an execution of Algorithm I starting from a legitimate configuration, 
i.e., a configuration where there is exactly one process that satisfies Predicate Token. In 
the figure, the outgoing arrows represent the Pred pointers and the integers represent the 
dt values. In this example, the ring size N is equal to 6. So, mN — A. In each configuration, 
the only process with an asterisk is the only token holder: by executing Action A, it passes 
the token to its successor. 

Theorem 2 Algorithm 1 is a deterministic weak-stabilizing token passing algorithm under 
a distributed strongly fair scheduler. 

Proof. Given in the appendix (Section A, page 19). □ 



3.2 Leader Election 

In this subsection, we consider anonymous tree-shaped networks and a distributed strongly 
fair scheduler. 

Definition 5 (Leader Election) The leader election problem consists in distinguishing a 
unique process in the network. 
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We first prove that the leader election problem is impossible to solve in our setting in a 
self-stabilizing way. 

Theorem 3 Assuming a distributed strongly fair scheduler, there is no deterministic self- 
stabilizing leader election algorithm in anonymous trees. 

Proof. Consider a chain of four processes Pi, P2, P3 , P4 (a particular case of tree) and a 
synchronous execution (a possible behavior of a distributed strongly fair scheduler). Let us 
denote by {31,82,83,84) any configuration of the system we consider where 8i (i G [1 . . .4]) 
represents the local state of Pi. Let X be the subset of configurations such that 5*1 = 84 
and 52 = 83 (note that 81 = 82 = 83 = 84 is a particular case of such configurations). 
Of course, in any configuration of X, we cannot distinghish any leader. We now show that 
X is closed in a synchronous execution, which proves the impossibility of the deterministic 
self-stabilizing leader election. 

Consider a configuration 7 = {a,b,b,a) of the set X. As we cannot distinghish any leader 
in 7, 7 must not be terminal. So, consider an arbitrary execution starting from 7 and let 7' 
be the configuration that follows 7 in the execution. The three following cases are possible 
for the step 7 1— »• 7': 

- Only Pi and P4 are enabled in 7. As the system is deterministic and the execution is 

synchronous, there only one possible step: Pi and P4 changes their local state in the 
same detcrministical way. So, 81 is still identical to 5*4 in 7', i.e., 7' = {a,b' ,b',a). 

- Only P2 and P3 are enabled in 7. As the system is deterministic and the execution is 
synchronous, there only one possible step: P2 and P3 changes their local state in the 
same deterministical way. So, 82 is still identical to 53 in 7', i.e., 7' = {a,b',b',a). 

- All processes are enabled. In this case, we trivially have 7' = {a' ,b' ,b' ,a') . 

Hence, 7' G X, which proves that X is closed. □ 

We now provide two weak-stabilizing solutions for the same problem in the same setting, 
with different space complexities. Both solutions arc more intuitive and simpler to design 
than self-stabilizing ones in slightly different settings. 

A solution using log N bits. A straighforward solution is to use the algorithm provided 
in [4] . This algorithm uses log N bits and finds the centers of a tree network: starting from 
any configuration, the system reaches in a finite time a terminal configuration where any 
process p satisfies a particular local predicate Center (p) iff p is a center of the tree. From 
Property 1, two cases are then possible in a terminal configuration: either a unique process 
satisfies Center or two neighboring processes satisfy Center. 

If there is only one process p satisfying Center{p), it is considered as the leader. 

Now, assume that there are two neighboring processes p and q that satisfy Center. In 
this case, p (resp. q) is able to locally detect that q (resp. p) is the other center (see [4] for 
details). So, we use an additional boolean B to break the tie. If Bp ^ Bq, then the only 
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(iv) (V) 



Figure 2: Example of possible convergence. 



center satisfying B = true is considered as the leader. Otherwise, both p and q are enabled 
to execute B <— -^B. So, from any configuration where the two centers have been found but 
no leader is distinguished, this is always possible to reach a terminal configuration where a 
leader is distinghished in one step: if only one of the two centers moves. 

Another solution using log A bits. In this solution (Algorithm 2), each process p main- 
tains a single variable: PaVp such that PaVp € Neigp U {-L}. p considers itself as the leader 
iff Pavp =^-. If Parp ^^X, the parent of p is the neighbor pointed out by Parp, conversely 
p is said to be a child of this process. 

Algorithm 2 tries to reach a terminal configuration where: (i) exactly one process / is 
designated as the leader, and (ii) all other processes q point out using Parq their neighbor 
that is the closest from /. In other words. Algorithm 2 computes an arbitrary orientation of 
the network in a deterministic weak-stabilizing manner. 

Algorithm 2 uses the following strategy: 
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Algorithm 2 Code for any process p 

Variable: PaVp e Neigp U {±} 
Macro: 

ChildreUp — {<? ^^iQp- PciVq = p} 
Predicates: 

isLeader{p) = {PaVp — ^) 
Actions: 

Ai :: {Parp j^-L) A (|CWWrenp| = |JVeigp|) — > Parp <— -L 

A2 :: (Parp t^-L) A [iVeigp \ {Childreup U {Parp}) 5^ 0] — > Parp <— (Porp + 1) mod Ap 

A3 :: {Parp =X) A {\Childrenp\ < |Areigp|) — » Parp min^p(Areigp \ Childrenp) 



1. If a process p such that Parp ^± is pointed out by all its neighbors, then this means 
that all its neighbors consider it as the leader. As a consequence, p sets Parp to _L 
(Action Ai), i.e., it starts to consider itself as the leader. 

2. If a process p such that Parp ^1. has a neighbor which is neither its parent nor one of its 
children, then this means that not all processes among p and its neighbors consider the 
same process as the leader. In this case, p changes its parent by simply incrementing 
its parent pointer modulus Ap (Action A2). Hence, from any configuration, it is always 
possible that all processes satisfying Par 7^_L eventually agree on the same leader. 

3. Finally, if a process p satisfies Parp =_L and at least one of neighbor q does not 

satisfy Par^ = p. then this means that q considers another process as the leader. As a 
consequence, p stops to consider itself as the leader by pointing out one of its non-child 
neighbor (Action A3). 

Figure 2 depicts an example of execution of Algorithm 2 that converges. In the figure, the 

circles represent the processes and the dashed lines correspond to the neighboring relations. 
The labels of processes are just used for the ease of explanation. Then, if there is an arrow 
outgoing from process Pj, this arrow designates the neighbor pointed out by Parp^. In 
contrast. Parp. =± holds if there is no arrow outgoing from process Pi. Any label Aj 
beside a process Pj means that Action Aj is enabled at Pj. Finally, some labels Aj are 
sometime asterisked meaning that their corresponding actions is executed in the next step. 

In initial configuration (i), no process satisfies Par =_L, i.e., no process consider itself as 
the leader. However, Pi, P2, P7, and P% are pointed out by all their respective neighbors. 
So, these processes are candidates to become the leader (Action Ai). Also, note that P3, 
P5, and Pe arc enabled to execute Action A2: they have a neighbor that is neither their 
parent or one of their children. Finally, note that P4 is in a stable local state. In the first 
step {i) [ii), Pg and Pg execute their enabled action: in {ii), there is a unique leader 
(Ps) but it has no child, i.e., no other process agrees on its leadership. So Pg is enabled 
to lose its leadership (Action A3). In [ii) ^ {Hi), Ps looses its leadership (Action A3) but 
P2 becomes a leader (Action Ai). So, there is still a unique leader (P2) in the configuration 
(Hi). In the step (Hi) 1-^ (iv), P3 and P5 change their parent to P5 and P3, respectively. As 
a consequence. Action Ai becomes enabled at P5 in (iv). However, P2 is also enabled in (iv) 
to lose its leadership (Action A3). In (iv) 1— > (v), P2 and P5 execute their respective enabled 
action and the system reach the terminal configuration (v). 
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Figure 3: Example of an execution that does not converge. 



Figure 3 illustrates the fact that Algorithm 2 is deterministically weak-stabilizing but not 
deterministically self-stabilizing under a distributed scheduler (for all fairness assumptions). 
Actually Figure 3 show that there is some infinite executions of Algorithm 2 that never 
converge. This example is quite simple: starting from the configuration (i), if the execution is 
synchronous, the system reaches configuration (ii) in one step, then we rctrcivc configuration 
(i) after two steps, and so on. This sequence can be repeated indefinitely. So, there is a 
possible execution starting from [i) that never converges. 

Theorem 4 Algorithm 2 is a deterministic weak-stabilizing leader election algorithm under 
a distributed strongly fair scheduler. 

Proof. Given in the appendix (Section B, page 20). □ 



4 From Weak to Probabilistic Stabilization 

In [13], Gouda shows that deterministic weak-stabilization is a "good approximation" of 
deterministic self-stabilization^ by proving the following theorem: 

Theorem 5 ([13]) Any deterministic weak- stabilizing system is also a deterministic self- 
stabilizing system if: 

- The system has a finite number of configurations, and 

- Every execution satisfies the Gouda's strong fairness assumption where Gouda's strong 
fairness means that, for every transition 71-^7', i/ 7 occurs infinitely often in an 
execution e, then 7 1— > 7' also appears infinitely often in e. 

From Theorem 5, one may conclude that deterministic weak-stabilization and deter- 
ministic self-stabilization are equivalent under the distributed strongly fair scheduler. This 
would contradict the results presented in Section 3. Actually, this is not the case: we prove 

^This result has been proven for the central scheduler but it is easy to see that the proof also holds for 
any scheduler. 
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in Theorem 6 that the Gouda's strong fairness assumption is (strictly) stronger than the 
classical notion of strong fairness. A less ambiguous and more practical characterization of 
deterministic weak-stabilization is the following: under Gouda's strong fairness assumption, 
the scheduler docs not behave as an adversary but rather as a probabilistic one (i.e., a deter- 
ministic weak-stabilizing system may never converge but if it is lucky, it converges). Hence, 
under a distributed randomized scheduler [8] , which chooses among enabled processes with 
a (possibly) uniform probability which are activated, any weak-stabilizing system converges 
with probability 1 despite an arbitrary initial configuration (Theorem 7). 

Theorem 6 The Gouda's strong fairness is stronger than the strong fairness. 

Proof. As Algorithm 1 (page 8) is a deterministic weak-stabilizing token circulation with 

a finite number of configurations, it is also a deterministic self-stabilizing token circulation 
under the Gouda's strongly fairness assumption (Theorem 5). We now show the lemma by 
exhibiting an execution of Algorithm 1 that does not converge under the central strongly 
fair scheduler (a similar counter-example can be also derived for a synchronous scheduler). 

Consider a ring of six processes po, . . . , p^. Consider a configuration 70 where only po 
and pz hold a token. Both po and pz are enabled in 70. Assume that only po passes its token 
in the step 70 1— > 71 • In 71 , pi and p^ hold a token. Assume now that only p^ passes its token 
in the step 71 ^ 73 and so on. It is straightforward that if the two tokens alternatively move 
at each step, then the execution never converges despite it respects the central strongly fair 
scheduler. □ 

We now show that the randomized scheduler defined below is a notion that is, in some 
sense, equivalent to the Gouda's strong fairness. 

Definition 6 (Randomized Scheduler [8]) A scheduler is said randomized if it ran- 
domly chooses with a uniform probability the enabled processes that execute an action in 
each step. 

Note that under a central randomized scheduler, in every step the unique process that 
executes an action is chosen with a uniform probability among the enabled processes. Sim- 
ilarly, under a distributed randomized scheduler, in every step the processes (at least one) 
that executes an action are chosen with a uniform probability among the enabled processes. 

Theorem 7 Let V be a deterministic algorithm having a finite number of configurations. 
V is deterministically self-stabilizing under the Gouda 's fairness assumption iff V is proba- 
bilistically self-stabilizing under a randomized scheduler. 

Proof. Lot T-" be a deterministic algorithm having a finite number of configurations. 

If. Assume that P is deterministically self-stabilizing under the Gouda's fairness as- 
sumption. First, V satisfies the strong closure property. Hence, it remains to show that V 
also satisfies the probabilistic convergence property. 
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Assume, by the contradiction, that there exists an execution e oiV that do not converge 
with a probabiUty 1 under a distributed randomized scheduler. As the number of configura- 
tions of V is finite, there exists at least one configuration 70 that occurs infinitely often in e. 
Then, as V is deterministically self-stabilizing under the Gouda/s fairness assumption, there 
exists an execution 70, 71, . . . , 7fe such that 7^ is a legitimate configuration. Now, as the 
scheduler is randomized, there is a strictly positive probability that 70 1-^ 71 occurs starting 
from 70. Hence, 70 >—>■ 71 occurs with a probability 1 after a finite number of occurences 
of 7o in e and, as a consequence, 71 occurs infinitely often (with the probability 1) in e. 
Inductively, it is then straightforward that Vi € [1 . . .k], ji occurs infinitely often in e with 
the probability 1. Hence, the legitimate configuration 7^ eventually occurs in e with the 
probability 1, a contradiction. 

Only If. Assume that V is probabilistically self-stabilizing under a distributed ran- 
domized scheduler. First, P satisfies the strong closure property. Then, starting from any 
configuration, there exists at least one execution that converges to a legitimate configura- 
tion: V satisfies the possible convergence property. Hence, V is weak-stabilizing and, by 
Theorem 5, V is deterministically self-stabilizing under the Gouda's fairness assumption. □ 

Theorem 7 claims that if the distributed scheduler does not behave as an adversary, 
then any deterministic weak-stabilizing system stabilizes with a probability 1. So, we could 
expect that under a synchronous scheduler, which corresponds to a "friendly" behavior of 
the distributed scheduler, any weak-stabilizing system also stabilizcis. Unfortunately, this 
is not the case: for example, Figure 3 (page 12) depicts a possible synchronous execution 
of Algorithm 2 that never converges. In contrast, it is easy to see that under a central 
randomized scheduler, Algorithms 1 and 2 arc still probabilistically self-stabilizing (to prove 
the weak-stabilization of Algorithms 1 and 2 under a distributed scheduler we never use the 
fact that more that one process can be activated at each step). Hence, this means that in 
some cases, the asynchrony of the system helps its stabilization while the synchrony can be 
pathological. This could seem unintuitive at first, but this is simply due to the fact that a 
synchronous scheduler maintains symmetry in the system. However, it is desirable to have 
a solution that works with both a distributed randomized scheduler and a synchronous one. 
This is the focus of the following paragraph. 

Breaking Synchrony-induced Symetry. We now propose a simple transformer that 
permits to break the symetries when the system is synchronous while keeping the convergence 

property of the algorithm under a distributed randomized scheduler. Our transformation 
method consists in simulating a randomized distributed scheduler when the system behaves 
in a synchronous way (this method was used in the conflict manager provided in [14]): each 
time an enabled process is activated by the scheduler, it first tosses a coin and then performs 
the expected action only if the toss returns true. 

In our scheme, we add a new boolean random variable Bi in the code of each processor i. 
We then transform any action A :: Guar dp, Sa of the input (deterministic weak-stabilizing) 
algorithm into the following action Trains (A): 

Trans(A) :: Guards Bi *— Randi (true, /a/se); if Bi then Sa 
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Of course, our method does not absolutely forbid synchronous behavior of the system: 
at any step, there is a strictly positive probability that every enabled process is activated 
and wins the toss. Such a property is very important because some deterministic weak- 
stabilizing algorithms under a distributed scheduler require some "synchronous" steps to 
converge. Such an exemple is provided below. 

Consider a network consisting of two neighboring processes, p and q, having a boolean 
variable B and executing the following algorithm: 

Algorithm 3 Code for a process i 

Input: j: the neighbor of i 
Variable: Bi : boolean 
Actions: 

Ai (-.Si A --Bj) -Bs ^ Lrue 

A2 (Bi A -.Bj) Bi ^ false 



Trivially, Algorithm 3 is deterministically weak-stabilizing under a distributed strongly 
fair scheduler for the following predicate: (Bp A Bq). Indeed, if {Bp,Bq) = (true, false) or 
{false,true), then in the next configuration, {Bp,Bq) = {false, false) and from such a con- 
figuration, three cases are possible in the next step: (i) only Bp <— true, (ii) only Bq <— true, 
or (in) {Bp,Bq) «— (true,true). In the two first cases, the system retreives a configuration 
where {Bp,Bq) = [true, false) or {false,true). In the latter case, the system reaches a ter- 
minal configuration where {Bp A Bq) holds. Hence, Algorithm 3 requires to converge that p 
and q move simultaneously when {Bp,Bq) = {false, false). The transformed version of Algo- 
rithm 3 trivially converges with the probability 1 under a distributed randomized scheduler 
as well as a synchronous one because while the system is not in a terminal configuration, 
the system regulary passes by the configuration {Bp,Bq) = {false, false) and from such a 
configuration, there is a strictly positive probability that both p and q executes B ^ true 
in the next step. 

Transformer Correctness. Below wc prove that our method transforms any deterministic 
weak- stabilizing system for a distributed scheduler with a finite number of configurations 
into a randomized self-stabilizing system for a synchronous scheduler. The proof that the 
transformed system remains a probabilistically self-stabilizing under a randomized scheduler 
is (trivially) similar and is omitted from the presentation. 

Let Soet = (CDet,i— >Det) bc a system that is deterministically weak-stabilizing for the 
specification SV under a distributed scheduler and having a finite number of configurations. 
Let Coet Q Coet be the (non-empty) set of legitimate configurations of S^et- Let iSprob = 
(Cprob,'— >Prob) bc the probabilistic system obtained by transforming S^et according to the 
above presented method. By construction, any variable v of S-oet also exists in 5prob- So, let 
us denote by j[Ss„ the projection of the configuration 7 € Cprob on the variables of iSoef By 
Definition, V7 G Cprob, 7|SD.t € Coet and Va G Coet, ^1 G Cp^ob such that -y^s^^ = a. 

Definition 7 Let £prob = {76 Cprob : 7|5D.t G -CDet}- 

Lemma 1 (Strong Closure) Any synchronous execution o/<Sprob starting from a config- 
uration of Cprob always satisfies SV. 
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Proof. By Definition, (£prob 7^ 0) and (V7 G >Cprob, 7|<SDet ^ ^^Det), «-e., the projection of 
any configuration of £prob on the variables of S-aet is a legitimate configuration of iSoet- So, 
it remains to show that any configuration 7 G /^Prob satisfies the predicate P = (V7' G Cprob : 

7 l-^Prob 7'> 7' £ 'Cprob)- 

Consider any configuration 7 e >Cprob- 

- If 7 is a terminal configuration (i.e., there is no configuration 7' e Cprob such that 

7 I— >Prob 7'); then 7 trivially satisfies P. 

- Assume now that (37' G Cprob : 7 i-^Prob 7')- Consider then any transition 7 1— >pi.ob 7'. 
In this transition, every enabled process p executes its enabled action TranSp(A) (the 
execution is synchronous). First, any p tosses a coin {Bp <— Randp(frue,/a/se)). Then, 

two cases are possible: 

- // every process p looses the toss {i.e., Raiidp{true,f alse) returns true for any p), 
then no assignment is performed on the variables that are commun to «Sprob and 
Soef As a consequence, ^^^^^ = 715^^ and, trivially, we have 7' G >Cprob- 

- // sorn,e processes win the toss, then we can remark that any assignment of a 
variable commun to iSprob and iSoet performed by Action TranSj,(A) exists in Ac- 
tion kp. Now, iSoet satisfies the strong closure property for the set Coet under a 
distributed scheduler. So, Y^g^^ G C^et, *-e., 7' G £prob- 

Hence, for any transition 7 i-^Prob l', we have (7 G -Cprob) (7' S £prob), i-^., 7 
satisfies P. 

□ 

As we assume that Coet is finite and the variables of <Sprob and S^et differ by just a 
boolean, the following observation is obvious: 

Observation 1 Cprob is a finite set. 

Lemma 2 V7 G Cprob; ^7' G £prob> 7'^ 7' under a synchronous scheduler. 

Proof. Let 70 G Cprob- Consider the configuration ao such that 7o|5B<,t = ao- By 
Definition, there exists an execution of S^et- c^o, • • • , ctk such that ak G Coet- Now, for any 
execution ao, ■ • ■ ) ctfe of Soet there exists a corresponding execution of >Sprob: 7o, • • • , 7/s 
such that Vi G [1 . . . fc], 7j|5o.j = cti. Indeed: 

(1) The set of enabled processes is the same in ai-i and 7,-1, and 

(2) Any step 7^-1 1-^ 7^ is performed if the subset of enabled processes that win the toss 
during 7j_i 1— > ji is exactly the subset of enabled processes that are chosen by the 
distributed scheduler in a,_i 1— > aj. 

Since, 7fc|Si,„ = cth and ak G ^oet, we have 7fe G -Cprob and the lemma is proven. □ 
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Lemma 3 (Probabilistic Convergence) Starting from any configuration, any synchro- 
nous execution of Sprob reaches a configuration of Cproh with the probability 1. 

Proof. Consider, by the contradiction, that there exists an execution e of iSp^ob that do 
not reach any a configuration of >Cprob with the probabihty 1. Then, by Lemma 2, while 
the system is not in a legitimate configuration it is not in a terminal configuration and, 
as a consequence, e is infinite. Moreover, as the number of possible configurations of the 
system is finite (Observation 1), there is a subset of configurations W C Cprob \ ^.-prdb that 
appears infinitely often in e. By Lemma 2 again, there is two configuration 7 e W and 
7' G Cprob \ W such that 7 i^prob l' but the step 7 1— >Prob 7' never appears in e. As execution 
is synchronous, every enabled process executes an action from 7 and depending on the 
tosses, there is a strictly positive probability that the step 7 1— s-prob 7' occurs from 7. Now, 
as 7 appears infinitely often in e, the step 7 1— >prob 7' is performed after a finite number of 
occurences of 7 in e with the probability 1, a contradiction. □ 

By Lemmas 1 and 3, we get: 

Theorem 8 Assuming a synchronous scheduler, iSprob is a probabilistic self-stabilizing sys- 
tem for SV. 

Using the same approach as for Theorem 8, the following result is straighforward. 

Theorem 9 Assuming a distributed randomized scheduler, Sproh is a probabilistic self- 
stabilizing system for SV. 

5 Conclusion 

Weak-stabilization is a variant of self-stabilization that only requires the possibility of con- 
vergence, thus enabling to solve problems that are otherwise impossible to solve with self- 
stabilizing guarantees. As seen throughout the paper, weak-stabilizing protocols are much 
easier to design and prove than their self-stabilizing counterparts. Yet, the main result of 
the paper is the practical impact of weak-stabilization; all deterministic weak-stabilizing 
algorithms can automatically be turned into probabilistic self-stabilizing ones, provided the 
scheduling is probabilistic (which is indeed the case for practical purposes). Our approach 
removes the burden of designing and proving probabilistic stabilization by algorithms de- 
signers, leaving them with the easier task of designing weak stabilizing algorithms. 

Although this paper mainly focused on the theoretical power of weak-stabilization, a goal 
for future research is the quantitative study of weak-stabilization, evaluating the expected 
stabilization time of transformed algorithms. 
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A Proof of Theorem 2 

Definition 8 (TokenHolders) Let •y be a configuration. Let TokenHolders(7) be the set of 

processes p satisfying Token{p) in the configuration 7. 

Definition 9 (CCSST) Let CCSET be the set of configurations 7 such that 7 satisfies 
|TokenHolders(7)| = 1. 

Definition 10 (PredPath) Let p and q be two distinct processes. We call PredPath(p, q) 
be the unique path po, . . . , Pk such that: (1) po = p, (2) yi € [I . . .k], Predp^ = Pk-i, and 
Pk = q- 

Remark 1 Let p and q be two distinct processes. PredPath(p, q) ^ PredPath(p, q) . 

Definition 11 (MTD: MinTokenDistance) Let ^ be a configuration such that 7 satisfies 
|TokenHolders(7)| > 1. We denote by MTD(7) the length of the shortest path PredPath(p, q) 
such that Token{p) and Token{q) in 7. 

Lemma 4 For any configuration 7, we have |TokenHolders(7)| > 0. 

Proof. Assume, by the contradiction, that there is a configuration 7 such that 

|TokenHolders(7)| = 0. Let po, . . . , Pn~i be an hamiltonian path of processes such that, 
Vi G [0 . . . - 1], Pi = Predp^.^^^ „. Then, (Vi e [0 . . . AT - 1], -^Token{pi)) implies that 
(Vi e [0...A'' — 1], [(^^^(i+i) N ~ ((^^Pi + 1) ™od mjv)]) which is not possible because 
[N mod mjv) 7^ 0, a contradiction. □ 

Lemma 5 (Possible Convergence) Starting from any configuration, there exists at least 
one possible execution that reaches a configuration 7 e CCSET. 

Proof. Any configuration satisfies jTokenHoldersj > by Lemma 4. Consider any 

configuration 7 satisfying |TokenHolders(7)| > 1. Let us study the two following cases: 

MTD(7) = 1. In this case, there exists two processes j? and q such that |PredPath(p,(7)| = 1, 
i.e., p is the predecessor of q and both p and q satisfies the predicate Token {i.e., both p and 
q hold a token). If only p executes Action A in the next step, then p satisfies -Token in the 
next configuration 7' and, as the consequence, |TokenHolders(7')| < |TokenHolders(7)|. 

MTD(7) > 1. Let consider two processes p and q such that |PredPath(p,g)| = MTD(7). 
Then, Action A is enabled at p and if only p moves in the next step, then |PredPath(p,g)| 
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decreases of one unit in the next configuration. Hence, inductively there exists an execution 
from 7 that reaches a configuration 7' such that MTD(7') = 1. 

Hence, from any configuration 7 such that |TokenHolders(7)| > 1 there always exists 
an execution where the cardinal of TokenHolders eventually decreases and the lemma is 
proven. □ 

Lemma 6 (Strong Closure) Any execution starting from a configuration 7 such that 7 G 
CjCSET always satisfies the specification of the token circulation. 

Proof. To prove this lemma we show that V7 e CCSST, V7 1-^ 7', (1) 7' e CCSST 
{CCSST is closed) and (2) the token holder in 7' is the successor of the token holder in 7. 

Consider a configuration 7 such that |TokenHold.ers(7)| = 1. Let q be the only process 
satisfying Token{q) in 7. Let p and s be the predecessor and the successor of q in 7, 
respectively. Then, in 7, q is the only enabled process, dtq ^ {{dtp + 1) modmjv), and 
dts = {{dtq + 1) mod tun)- During the next step, q executes A and, as a consequence, 
dtq = {{dtp + 1) mod tun) and dts {{dtq + 1) mod mjv) in the next configuration 7': s is 
the only token holder in 7', which proves the lemma. □ 

Proof of Theorem 2. By Lemmas 5 and 6, the theorem is obvious. □ 

B Proof of Theorem 4 

Definition 12 (ParPath) We ca/^ ParPath(p) the unique maximal path pq, pk such 
that: (1) Pk = p, (2) \/i € Par^ = Pi-i, and (3) po satisfies [{Parpg 7^_L) 

{Parpar^^ =Po)]- 

Notation 1 Let p be a process. In the following, we denote by Root(p) the initial extremity 
o/ParPath(p) (n.h., {Parp =_L) (Root(p) =p)). 

Remark 2 As the network is acyclic, for any process p, ParPath(p) has a finite length. 

Definition 13 (jCC) Any configuration 7 satisfies the predicate CC{'y) iff the two following 
conditions hold in ^: (1) there exists exactly one process p that satisfies Parp =_L and (2) 
for any process q^ p, Root(g') = p. 

Remark 3 There is exactly one process satisfying isLeader in any configuration 7 satisfying 

CC{j). 

Lemma 7 In any configuration where every process satisfies -lisLeader, there exists at least 
one process p such that Action Ai is enabled at p. 
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Proof. Let N ear estC enter [p) be the center process at the smallest distance from the 
process p. Let VMCmax — [-0/2] be the maximal distance between any process p and 
NearestCenter{p) . Let 'DJ\fC^^{p) — VAfCmax ~ d{p,N ear estC enter {p)). 

Assume, by the contradiction, that there exists a configuration 7 where every process 
satisfies ^isLeader and no Action Ai is enabled. We show the contradiction in two steps: 

Step 1. First, we prove that any process p such that 'DMC~^{p) = d with < d < 
VNCmax (actually the non-center processes) satisfies Parp = 5 in 7 with VNC~^{q) = d+1. 

Step 2. Then, wc show the contradiction using Step 1. 

Step 1. (by induction) 

Induction for d = 0. By Definition, any process p such that T)J\fC~^{p) = is a leaf 
node. As p satisfies -iisLeader{p), Parp = q holds in 7 where q is the only neighbor of p. 
Now, by definition, VJ\fC~\q) = VJ\fC~\p) + 1 = 1. Hence, the induction holds for d = 0. 

Induction Assumption: Let k e [0. . .VAfCmax — !]• Assume that any process p such 
that < VNC~'^(p) < k satisfies Parp = g in 7 with VJ\fC~'^{q) =k + l. 

Induction for d = k + 1. Consider a process p such that 'DJ\fC~^{p) = A; + 1. Then, 
T>J\fC~^{p) < VMCmax and, by definition, p has one neighbor q such that T>J\fC~^{q) = k + 2 
and all its other neighbors q' satisfies T>MC~^(q') = k. Assume, by the contradiction, that 
Parq = V with VMC~^{v) = k. Then, any other v's. neighbor, u', satisfies 'DAfC~^{v) = k—1. 
Hence, by induction assumption, any process v' satisfies Par^' = v. Now, Pary because 
V satisfies -^isLeader{v). So, Action Aj is enabled at u, a contradiction. Hence, Parp = q 
where q is the only neighbor of p such that 'DAfC~^{q) = k + 2 and the induction holds for 
d = k + l. 

Step 2. 

We now show the contradiction. By Property 1 (page 4), we can split our study in the 
two following cases: 

There is one center c in the network. In this case, any neighbor of c, c', satisfies 
VAfC-^{c') = VMC 

max ~ 1- In this case, any process c' also satisfies Pare' — c (Step 
1). Now, Pare because c satisfies ^isLeader{c). So, Action Ai is enabled at c, a 
contradiction. 

There is two neighboring centers cq and ci in the network. In this case, any non-center 
neighbor of q (z e {0, 1}), c-, satisfies 'DMC~^{c[) = VMCmax — ^- In this case, any process 
also satisfies Par^', = Ci (Step 1). Assume now, by the contradiction, that one the centers Ci 
(?: e {0, 1}) satisfies Par,., = c[ where c'^ is a neighbor such that VUC^^{c[) = VAfCmax - 1- 
Then, any other c^'s neighbor also satisfies Par = (Step 1). Now, Pare'. t^-L because 
satisfies -^isLeader{c^). So, Action Ai is enabled at c-, a contradiction. Hence, Parca = ci 
and Parci = cq and Action Aj is both enabled at cq and Ci, a contradiction. □ 

The following corollary simply holds by the fact that after executing Action Ai, a process 

satisfies isLeader. 

Corollary 1 Starting from any configuration, the system can reach in at most one step a 
configuration where at least one process satisfies isLeader. 
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Lemma 8 From any configuration where at least one process satisfies isLeader, there is a 
possible execution that reaches a configuration 7 satisfying CC{'y). 

Proof. Let p be a process satisfying isLeader{p) . Let Tree{p) ~ {q E V, Root((jf) = p}. 
First, from Definition 13, we can trivially deduce that a configuration satisfies £C iff it 
contains a unique tree Tree{p) such that Tree{p) = V. 

Consider then a configuration 7 satisfying -^CC^j) where there exists a process p satis- 
fying isLeader(p). So, Tree{p) C V. Let NonTree{p) = V\Tree{p). To prove this lemma, 
we just show below that from such a configuration 7 is always possible to reach (in a finite 
number of step) a configuration 7' where the cardinal of NonTree{p) decreased. 

First, p satisfying isLeader{p) in 7, so, Tree{p) 7^ in 7. Then, as 7 satisfies -i£C(7), 
NonTree{p) ^ and, as the network is connected, there two neighboring processes v and 
w such that v G Tree{p) and w G NonTree{p) in 7. Also, PaVy ^ w and PaVw ^ t; in 7 by 
Definition 12. Consider then the two following cases: 

- Parw in 7. In this case. Action A2 is enabled at w until (at least) Paryj = v. Now, 
after at most A^, — 1 executions of Action A2, Par^ points out to v. Hence, if only 
actions A2 at w arc executed until Par^j points out to v, there is an execution from 7 
that reaches a configuration 7' where \NonTree{p)\ decreases of one unit. 

- Par^j =_L in 7. In this case, as Par^ ^ w, Action A3 is enabled at w. If only w moves 
in the next step, then either (1) Par^ points out to v in the next configuration and 
\NonTree{p)\ decreases of one unit, or (2) PaVyj ^ in the next configuration 
and we retreive the previous case. 

Hence, from any configuration 7 satisfying where there is a process p satisfying 

isLeader{p), it is always possible to reach a configuration 7' where \NonTree{p) \ decreased. 
□ 

By Corollary 1 and Lemma 8, follows: 

Lemma 9 (Possible Convergence) Starting from any configuration, there exists at least 
one possible execution that reaches a configuration 7 satisfying CC{'y). 

Lemma 10 (Strong Closure) Let j be a configuration. 7 satisfies jC,C{j) iS j is a termi- 
nal configuration. 

Proof. 

If. Consider a configuration 7 satisfying CC{j). Let p be the only process that satisfies 
Par =_L in 7. By Definition 13, any neighbor p' of p satisfies Parpi = p and, as a conse- 
quence, p is disabled. Consider now any process q such that Par, ^_L. As we are in a tree 
network, there is only one path linking any process q to p, so, by Definition 13, any process 
q points out with Parq the unique neighbor q' whereby it can reach p, q' does not point out 
to q with PaVqi, and all other neighbors of q points out to q with their Par pointer. As a 
consequence, any process q is disabled. Hence, 7 is a terminal configuration. 
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Only If. (by the contraposition) By Lemma 9, any configuration 7 satisfying -i£C(7) is 
not terminal. □ 

Proof of Theorem 4. Follows from lemmas 9 and 10, and Remark 3. □ 
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